////////////////////////////////////////////////////////////////////////////////
/////// Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
/////// preth00nker[at]gmail.com
/////// By preth00nker .. Using Mexican Skill :]
///////
////////////////////////////////////////////////////////////////////////////////
[Introduction]
>>Quoted from http://broadband.motorola.com/consumers/products/sbg900/
"The Surfboard(R) SBG wireless cable modem gateway offers a fast and secure
connection, with the convenience and flexibility of wireless networking all in
one, Roam throughout home or office without losing your network connection."
[Features]
This modem offers an administration web page where the current configuration is
shown and edited. It can be accessed through a conventional web browser on port
80 at the URL http://192.168.0.1 (default).
[The validation]
This portal requires an administrator account. Upon successful authentication a
unique session-ID is issued; it has an expiration time limit, but it is not
bound to the client machine (as a cookie or similar).
[The input validation error]
An attacker can take advantage of an input validation flaw in the hostname
field. Any user can change the hostname of their machine (on Linux, for example,
by editing the file /etc/hostname), and the value is reflected in the modem
administration page under Gateway/status.
[Vulnerabilities]
- HTML injection
- XSS
- XSRF
- Not enough Session/Source validation
[PoCs]
- HTML injection
Editing /etc/hostname (on my box) and adding something like:
"<H1>Hellow-world"
- XSS
By inspecting the source code of the Gateway/status page we can see that the
injected string is reflected in two places. It first passes through a JavaScript
function that prints the string into a table, so the HTML injection is visible
in the table, and the XSS can be triggered from the original function. Try:
"+window.location.search+" (including the quotes)
- XSRF
If we use the previous string, the arguments of the current page are taken and
the session-ID is printed in the table; it could then be used in an illicit
GET/POST request.
- Not enough Session/Source validation
Once we have the session-ID, we can simply reuse the session from another
machine like this:
http://192.168.0.1/left.asp?sessionId=xxxxx
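The reflection described in the PoCs above, as an added example that is not code from this advisory or from the SBG900 firmware: the unsafe string concatenation the status page is described as doing, beside a hardened version that validates the hostname against RFC 1123 syntax and encodes it for both the script and the table context. The showRow name and the sample hostnames are assumptions.

```javascript
// Added example, not code from the advisory or the SBG900 firmware.
// Constructed sample hostnames mirroring the advisory's PoC strings.
const SAMPLE_HOSTNAMES = {
  benign: "laptop-01",
  htmlInjection: "<H1>Hellow-world",
  xss: '"+window.location.search+"',
};

// Unsafe pattern the advisory describes: the client hostname is concatenated
// straight into a script string on Gateway/status, so a quote in the hostname
// ends the literal and the rest of the value runs as JavaScript.
// (showRow is an assumed name for the table-printing function.)
function unsafeStatusScript(hostname) {
  return 'showRow("Host Name", "' + hostname + '");';
}

// Primary fix: validate the hostname as RFC 1123 syntax before it is stored
// or displayed. Labels are letters, digits and hyphens, 1-63 chars, with no
// leading or trailing hyphen; the whole name is at most 253 chars.
function isValidHostname(hostname) {
  if (typeof hostname !== "string" || hostname.length === 0 || hostname.length > 253) {
    return false;
  }
  const label = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
  return hostname.split(".").every((part) => label.test(part));
}

// Defence in depth for the HTML table the script writes into.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: reject what fails validation, HTML-encode the rest, and
// emit it as a JSON string literal with '<' escaped so neither a quote nor a
// "</script>" sequence can leave the string or the script block.
function safeStatusScript(hostname) {
  const shown = isValidHostname(hostname) ? hostname : "(invalid hostname)";
  const literal = JSON.stringify(htmlEncode(shown)).replace(/</g, "\\u003c");
  return 'showRow("Host Name", ' + literal + ");";
}

// Show the emitted script for each sample, unsafe beside hardened.
for (const [name, host] of Object.entries(SAMPLE_HOSTNAMES)) {
  console.log(name + "\n  unsafe: " + unsafeStatusScript(host) + "\n  safe:   " + safeStatusScript(host));
}
```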
[Confirmed Affected versions (firmware)]
Model: SURFboard SBG900
Software version: SBG900-2.1.15.0-SCM00-NOSH
Hardware version: 3
Greets: hkm [hakim.ws], nitorus [nitr0us.blogspot.com]
[EOF]
Follow the URL https://www.underground.org.mx/index.php?action=dlattach;topic=25186.0;attach=3037 to get the PoC.